At AES’00, a collision attack on 7round reduced AES was proposed. In this paper, we apply this idea to seven SPN block ciphers, AES192/256, Crypton192/256, mCrypton96/128, and Anubis. Applying our attacks on AES192/256, we improve the attack result based on meetinthemiddle attack (AES192) and the attack result proposed in AES’00 (AES256), respectively. Our attack result on Anubis is superior to known cryptanalytic result on it. In the cases of Crypton192/256 and mCrypton96/128, our attacks are applicable to 8round reduced versions. The attack results on mCrypton96/128 are more practical than known cryptanalytic results on them.
Recently, meetinthemiddle attack has received attention. The attack procedure of meetinthemiddle attack can be summarized as follows. Let
In this paper, we apply the main idea of [
Our attack results on AES192/256, Crypton192/256, mCrypton96/128, and Anubis.
Target Algorithm  Attack  Number of rounds  Data complexity  Computational complexity 

AES 
MitM [ 



RKABA [ 


 
CA (This paper) 


 
 
AES 
CA [ 



RKBA [ 


 
CA (This paper) 


 
 
Crypton192/256  TDC [ 



CA (This paper) 


 
 
mCrypton 
RKIDC [ 



CA (This paper) 


 
 
mCrypton 
RKIDC [ 



CA (This paper) 


 
 
Anubis  CA [ 



Square [ 


 
CA (This paper) 



MitM: meetinthemiddle attack.
TDC: truncated differential cryptanalysis.
RKABA: relatedkey amplified boomerang attack.
RKBA: relatedkey boomerang attack.
RKIDC: relatedkey impossible differential cryptanalysis.
CA: collision attack.
Crypton is a
A
Anubis is a block cipher submitted to the NESSIE project and operates on data blocks of
The rest of this paper is organized as follows. In Section
First, we briefly present AES
AES
Internal state of AES
In round
SubBytes (SB): applying the same
ShiftRows (SR): cyclic shift of each row (the
MixColumns (MC): multiplication of each column by a constant
AddRoundKey (ARK): XORing the state with a
The SB, SR, MC, and ARK transformations are applied to each round except that MC is omitted in the last round. Besides, before the first round, an extra ARK is applied, which we call a whitening key step. For the more detailed descriptions of AES
In our attack on AES, we use a
(i)
(ii)
By using
Note that each
Applying the above procedure repeatedly, as shown in (
Note that this equation consists of five parts as follows:
We can express
On the other hand, our attack on AES recovers a
Now, we show how to exploit a
Similarly to the previous subsection,
Our attack procedure on AES is as follows (see Figure
Construct
For each
Select
Guess
choose different two sets
if all 25 pairs satisfy (
The attack procedure on AES
The data complexity of this attack is
In this section, we present collision attacks on 8round reduced Crypton192/256 and mCrypton96/128. Our attacks on 8round reduced mCrypton96/128 are similar to them on 8round reduced Crypton192/256. Thus, we mainly introduce the attacks on 8round reduced Crypton192/256. Furthermore, similarly to the attacks on AES192/256, the attack procedure on Crypton192 (mCrypton96) is the same as that on Crypton256 (mCrypton128). Thus, for the simplicity of notations, we just call them Crypton192/256 (mCrypton96/128) and Crypton (mCrypton). First, we briefly present Crypton and mCrypton.
As shown in Figure
(a) Crypton and (b) mCrypton.
Internal state of Crypton and mCrypton.
Similarly to AES192/256, in round
The round function
For the more detailed descriptions of Crypton, we refer to [
mCrypton is a 64bit lightweight block cipher designed for use in lowcost and resourceconstrained applications such as RFID tags and sensors in wireless sensor networks. As shown in Figure
First, we explain the way to find a distinguisher of Crypton. By using a similar method in the attack on AES192/256, we can also construct a 4round distinguisher of Crypton. Furthermore, because of the weak diffusion property of Crypton, we can extend this distinguisher to a 5round distinguisher of it. In detail, our attacks on an 8round reduced Crypton consider a 5round distinguisher of round 2
Recall that, in the attack on AES192/256, an equation on
On the other hand,
Thus, we use the following equation as a checking equation (note that, in the case of the attack on AES192/256, a checking equation is (
The overall attack procedure is similar to the case of AES. Figure
The attack procedure on Crypton192/256 and mCrypton96/128.
The complexities of this attack are as follows:
the data complexity:
the memory complexity:
the computational complexity:
So far, the best attack result was the truncated differential cryptanalysis on
As shown in Figure
Since the size of internal state of mCrypton is half of that in Crypton, the complexities of the attack on mCrypton are half of them on Crypton. The complexities of the attack on mCrypton are as follows:
the data complexity:
the memory complexity:
the computational complexity:
In [
First, we present Anubis, and then a collision attack on an
As shown in Figure
Anubis.
Anubis processes blocks of
The round function of Anubis consists of sixteen
For the more detailed descriptions of Anubis, we refer to [
Our attack on an
On the other hand,
The attack procedure on an
the data complexity:
the memory complexity:
the computational complexity:
The attack procedure on Anubis.
So far, the best attack results on Anubis are a collision attack and a square attack on a
In this paper, we have introduced collision attacks on seven SPN block ciphers, 7round reduced AES192/256, 8round reduced Crypton192/256, 8round reduced mCrypton96/128, and an 8round reduced Anubis. Our attacks are based on the idea of [
Our attacks on
The authors declare that there is no conflict of interests regarding the publication of this paper.
This research was supported by the Ministry of Science, ICT & Future Planning (MSIP), Korea, under the Convergence Information Technology Research Center (CITRC) Support Program (NIPA2013H0301133007), supervised by the National IT Industry Promotion Agency (NIPA).